Microsoft Fixes Zero-Day Bug in July Patch Tuesday

Microsoft released patches for 16 security vulnerabilities yesterday, including a bug affecting Microsoft XML Core Services that is being exploited in the wild. Three of the nine bulletins are rated "critical."

The zero-day vulnerability in Microsoft XML Core Services (MSXML), disclosed in early June and addressed in MS12-043, was actively being exploited in the wild. The latest security update fixed the heap overflow issue only in MSXML versions 3, 4, and 6. Organizations running version 5, which corresponds to Office 2003 and 2007, should make sure to apply the interim FixIt measures until a future update is available. The other two critical vulnerabilities have not yet been exploited, but Microsoft predicted reliable exploit code may be available within 30 days.

The update also included a critical patch for Internet Explorer 9, the latest version of Microsoft's popular browser. The IE9 bulletin, MS12-044, swats two security bugs that can be exploited to remotely execute code.

"Apply this patch as quickly as possible if you run IE9. The exploitability index is 1, meaning that Microsoft believes that it is easy for attackers to reverse-engineer the patch and develop an exploit," blogged Wolfgang Kandek, chief technology officer of Qualys.

"What makes MS12-044 more interesting is that it's the product of an accelerated update cycle that Microsoft has been working on. In the past, Internet Explorer was updated only every two months—that was how long it took to get through all the compatibility testing required for a stable release. Now, Microsoft has streamlined this process to reduce the time needed by 50 percent."